Thanks Tom, so when the number of connections allowed is reached,
iptables just bypasses the rule and then it falls into the default policy, which
I am not logging, so by adding the DROP rule it catches the bypassed packet
and logs it?
If I understand correctly, I just need the DNSDDOS and DROP rules? It will
drop DDoS packets and additionally will apply the limit.
On Fri, Oct 7, 2016 at 10:19 AM, Tom Eastep <[email protected]> wrote:
>
> On 10/07/2016 08:22 AM, Miguel Miranda wrote:
> > Hello to all, I have two questions:
> >
> > 1. I want to mitigate DDoS attacks on my DNS servers; to implement
> > this I have configured a rate limit as per the docs:
> >
> > ACCEPT net $FW udp 53 - - s:powerdns:10/sec:100
> >
> > I have verified that the rate limit is working by sending more than
> > 100 qps and I start to get errors with the DNS resolver, so I guess the
> > limit is working; however I would like to see in the logs the
> > packets dropped so I can review who is attacking my server and whether
> > the limit is affecting valid customers, and if so I will raise the
> > burst. If I try this
> >
> > ACCEPT:info net $FW udp 53 - - s:powerdns:10/sec:100
> >
> > I see all the traffic; I just want to see the abnormal dropped
> > traffic.
> >
>
> Simply add
>
> DROP:info net $FW udp 53
>
> After your rate-limited ACCEPT rule.
>
> > 2. Are these 2 rules equivalent, the second one using the DDOS
> > action created by Tom:
> >
> > DNSDDOS net $FW udp 53 - - s:powerdns:10/sec:100
> >
>
> This rule will drop DDOS packets that are within the rate; the first
> rule above will not.
>
> -Tom
> --
> Tom Eastep \ When I die, I want to go like my Grandfather who
> Shoreline, \ died peacefully in his sleep. Not screaming like
> Washington, USA \ all of the passengers in his car
> http://shorewall.net \________________________________________________
>
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
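To make the fall-through behaviour discussed in this thread concrete, here is an added simulation (not Shorewall's code and not from either poster) of a chain holding the rate-limited ACCEPT rule followed by Tom's DROP:info rule. It models the `s:powerdns:10/sec:100` rate as a per-source token bucket (assumed: burst is the initial credit, rate is the refill), with constructed source addresses, and counts which packets the second rule would log.

```python
from dataclasses import dataclass, field

RATE = 10          # s:powerdns:10/sec  -> 10 tokens per second per source
BURST = 100        # :100               -> bucket size (initial credit)
MILLI = 1000       # tokens are kept in thousandths to avoid float drift


@dataclass
class Bucket:
    tokens: int = BURST * MILLI   # a fresh source starts with the full burst
    last_ms: int = 0


@dataclass
class Chain:
    """Two rules evaluated in order: rate-limited ACCEPT, then DROP:info."""
    buckets: dict = field(default_factory=dict)
    log: list = field(default_factory=list)   # what DROP:info would write

    def packet(self, src: str, t_ms: int) -> str:
        b = self.buckets.get(src)
        if b is None:
            b = self.buckets[src] = Bucket(last_ms=t_ms)
        # refill: RATE tokens/sec == RATE milli-tokens per millisecond
        b.tokens = min(BURST * MILLI, b.tokens + (t_ms - b.last_ms) * RATE)
        b.last_ms = t_ms
        if b.tokens >= MILLI:          # rule 1 matches: ACCEPT, spend a token
            b.tokens -= MILLI
            return "ACCEPT"
        # over the limit: rule 1 does not match, packet falls to DROP:info
        self.log.append(f"t={t_ms}ms DROP src={src} proto=udp dpt=53")
        return "DROP"


def simulate(flood_qps: int, seconds: float, legit_qps: int = 5) -> dict:
    """One flooding source and one normal client; qps values must divide 1000."""
    chain = Chain()
    who = {"203.0.113.9": "attacker", "198.51.100.7": "client"}  # constructed addresses
    counts = {w: {"ACCEPT": 0, "DROP": 0} for w in who.values()}
    events = [(i * 1000 // flood_qps, "203.0.113.9") for i in range(int(flood_qps * seconds))]
    events += [(i * 1000 // legit_qps, "198.51.100.7") for i in range(int(legit_qps * seconds))]
    for t_ms, src in sorted(events):
        counts[who[src]][chain.packet(src, t_ms)] += 1
    return {"counts": counts, "logged": len(chain.log), "first_log": chain.log[:1]}


if __name__ == "__main__":
    print(simulate(flood_qps=500, seconds=2.0))
```

With a 500 qps flood for two seconds the attacker gets the 100-packet burst plus roughly 10 packets per second accepted and everything else logged by the DROP:info rule, while the 5 qps client is never logged, which is the "only the abnormal dropped traffic" view the question asks for.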